SaaS HR platform PageUp has revealed “unusual activity on its IT infrastructure” and “revealed that we have some indicators that client data may have been compromised”.

There’s bad news and semi-ok news here: the bad is that the company isn’t sure what data was accessed, but thinks it was limited to “name and contact details” and “… could also include identification and authentication data e.g. usernames and passwords.”

The semi-ok news is that the passwords are hashed and salted.

[...] “We will also be informing the UK National Cyber Security Centre (NCSC),” the company’s statement says.
Which is all very responsible, but this gets worse because supermarket giant Coles has notified applicants that it “is among a number of large Australian organisations who may have been impacted by a data security incident at human resources technology provider PageUp.”

The breach, which was detected on 23 May and confirmed on 28 May, spawned public warnings that thousands of Australians’ personal details might have been stolen by unauthorised external parties.

Cybersecurity consultants were quick to highlight both the risk posed by the breach and its importance as a reminder of the implications of an incident that, in PageUp’s case, spans a wealth of jurisdictions covered by legislation including the European Union’s General Data Protection Regulation (GDPR).
“The significance of this breach cannot be [overstated],” warned Forcepoint APAC director of sales engineering William Tam in a statement. “Given this is the first major breach to happen after the launch of the GDPR, it will be the first example of how action will be taken by the EU.”

“The unfortunate reality is that data breaches do happen, so it’s paramount that organisations pay close attention to their disclosure processes and prioritise transparency with their customers. It’s how organisations handle the breach from beginning to end that will have a lasting impact on customer trust and public perception.”

Whitbread is the latest big-name company to have been affected by a breach at a popular third-party recruitment platform provider, it has emerged.
The UK hotel and coffee shop operator has admitted that some current and prospective employees’ data may have been compromised, thanks to an incident last month at Australian supplier PageUp.

An email sent by Whitbread to those potentially affected claimed that data handed to the company during the recruitment process “may have been accessed and could potentially (in combination with other information) be used for identity theft,” according to the Irish Times.

Passwords were hashed using bcrypt and salted by the Aussie provider, but Whitbread is still advising individuals to change them if they shared the same credential across other sites.
The firm has also suspended its use of the third-party recruitment platform for now.

PageUp's breach update, posted on its website, closes the loop on what has proved to be a lengthy and challenging investigation into the incident, which the company discovered on May 23.

The company's conclusion, reached nearly six months after it learned it had been hacked, demonstrates how long it can take a company to thoroughly investigate a breach, as well as the backlash that companies may endure as investigators scramble to uncover facts.

"A detailed forensic investigation on the PageUp security incident in May this year has concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated," the company says.